Commit graph

829 commits

Author SHA1 Message Date
Jouni Malinen
77e3094bb7 hlr_auc_gw: Fix max_chal value validation
This was supposed to be at maximum EAP_SIM_MAX_CHAL (3).

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-09-29 18:47:26 +03:00
Jouni Malinen
3e6547b5e8 hlr_auc_gw: Add support for processing command line operations
This allows hlr_auc_gw to be used to run a single operation without
having to use it as a server. This can be useful, e.g., for generating
GSM authentication triplets for external programs. For example:
./hlr_auc_gw -m hlr_auc_gw.milenage_db "SIM-REQ-AUTH 232010000000000"

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-09-29 18:42:37 +03:00
Jouni Malinen
9a50ee6d25 hlr_auc_gw: Update file comments to mention Milenage
The notes about using only fixed GSM authentication triplets were not
really up-to-date with the implementation. Milenage and GSM-Milenage
were available for EAP-SIM, EAP-AKA, and EAP-AKA'.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-09-29 17:29:44 +03:00
Kyeyoon Park
f224cf05ab HS 2.0: Allow printf format parsing with language:name strings
This allows Hotspot 2.0 and Interworking strings that use language:name
string (e.g., venue_name) to be encoded using printf format to enter
special characters like newline.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-09-25 14:43:40 +03:00
Jouni Malinen
04e533e249 Fix language string length validation in parse_lang_string()
The language string length needs to be validated to hit into the
three-octet lang field in struct hostapd_lang_string before copying
this. Invalid configuration entries in hostapd.conf could have resulted
in buffer overflow.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-09-25 14:42:39 +03:00
Jouni Malinen
cdf8bfa434 Disallow WEP configuration in WPA network
Some drivers fail to work if WEP keys are configured in a WPA network.
To avoid potentially confusing error cases, reject hostapd configuration
that enables WPA and includes parameters that would imply that WEP keys
would be set.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-08-31 17:18:45 +03:00
Michal Kazior
50f4f2a066 hostapd: Add Automatic Channel Selection (ACS) support
This adds ACS support to hostapd. Currently only survey-based
algorithm is available.

To use ACS you need to enable CONFIG_ACS=y in .config and use
channel=0 (or channel=acs_survey) in hostapd.conf.

For more details see wiki page [1] or comments in src/ap/acs.c.

[1]: http://wireless.kernel.org/en/users/Documentation/acs

Signed-hostap: Michal Kazior <michal.kazior@tieto.com>
2013-08-31 11:51:06 +03:00
Jouni Malinen
2c6f8cf6c8 Replace perror() with wpa_printf(strerror) in ctrl_iface calls
This replaces number of perror() calls with wpa_printf() to get the
error messages embedded within rest of the debug messages in the same
stream instead of pushing these to stderr which may get directed to
another location.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-08-26 11:46:21 +03:00
Jeffin Mammen
3351a3847c WPS: Add control interface command for fetching latest status
The new wps_get_status command can be used to fetch the result of the
latest WPS operation and the current PBC state from hostapd.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-08-23 17:49:01 +03:00
Michael Braun
c2db79f237 VLAN: Remove vlan_tail
Everything in hostapd can be implemented efficiently without vlan_tail.

Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
2013-08-04 21:45:50 +03:00
Sujith Manoharan
3f9a8137f5 hostapd: Add a config option to control beaconing
In a AP/STA concurrent setup, if the STA interface is continually
scanning, trying to connect to a network, the AP interface
is basically broken since beaconing would be erratic.

This option can be used in a WDS setup where one AP acts as a
Client/AP-Repeater. The Repeater AP interface has to start beaconing
only after the Client interface has established a WDS link with the
"Root AP".

Signed-hostap: Sujith Manoharan <c_manoha@qca.qualcomm.com>
2013-07-20 17:20:43 +03:00
Jouni Malinen
fe65847bb1 EAP-EKE: Add server implementation
This adds a new password-based EAP method defined in RFC 6124.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-07-07 20:30:10 +03:00
Jouni Malinen
67fe933d40 Add server identity configuration for EAP server
The new server_id parameter in hostapd.conf can now be used to specify
which identity is delivered to the EAP peer with EAP methods that
support authenticated server identity.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-07-07 20:30:10 +03:00
Jouni Malinen
080585c01a Add support for OCSP stapling to validate server certificate
When using OpenSSL with TLS-based EAP methods, wpa_supplicant can now be
configured to use OCSP stapling (TLS certificate status request) with
ocsp=1 network block parameter. ocsp=2 can be used to require valid OCSP
response before connection is allowed to continue.

hostapd as EAP server can be configured to return cached OCSP response
using the new ocsp_stapling_response parameter and an external mechanism
for updating the response data (e.g., "openssl ocsp ..." command).

This allows wpa_supplicant to verify that the server certificate has not
been revoked as part of the EAP-TLS/PEAP/TTLS/FAST handshake before
actual data connection has been established (i.e., when a CRL could not
be fetched even if a distribution point were specified).

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-06-30 01:01:15 +03:00
Michael Braun
459eee923c bridge: Use safe default bridge interface
Currently by default, all BSS share the bridge brvlan%d.
While this is sane when no tagged-interface is given, this
is insane when different tagged interfaces are given, as
it would result in bridging those tagged interfaces.

This patch therefore uses br%s%d with %s=tagged_interface
and %d=VLAN ID as bridge name when a tagged-interface is given.

Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
2013-06-25 11:10:00 +03:00
Michael Braun
2aaeedfa07 bridge: Give bridge name in per-bss configuration
Currently, when different BSS using different tagged vlan
interfaces, they are forced to share the bridge brvlan#,
which is not desirable.

This patch fixes this by making the bridge name configurable.

Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
2013-06-25 11:09:01 +03:00
Jouni Malinen
962b8b36e6 Android: Add PMF support to hostapd build
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-05-29 18:06:29 +03:00
Jouni Malinen
eb4737f6df Fix ESS_DISASSOC ctrl_iface command parser
strchr can return NULL and that needs to be checked instead of what the
pointer could be pointing to.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-05-25 19:55:32 +03:00
Jouni Malinen
3cb953e4b6 Do not set driver MAC ACL unless driver supports this
This cleans up debug log by not including comments about failed
operations in case the operation is known to fail due to not being
supported by the driver.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-05-24 13:37:22 +03:00
Jouni Malinen
8e1bc70231 WNM: Fix ess_disassoc timeout to be specified in TBTTs
This was previously claimed to be in ms, but the field in BSS Transition
Management Request frame is in number of TBTTs (beacon interval). Use
that unit in the ESS_DISASSOC control interface command to be able to
specify any value and just modify the timeout value to be calculated
based on beacon interval.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-05-23 16:50:32 +03:00
Jouni Malinen
901d1fe1e5 WNM: Remove PMKSA cache entry on ESS disassoc imminent notification
This is needed to avoid allowing the STA to reconnect using a cached
PMKSA. ESS disassoc imminent notification is normally used to indicate
that the STA session will be terminated and as such, requiring full
authentication through the authentication server after this is needed.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-05-23 16:50:06 +03:00
Kyeyoon Park
d5b559b641 WNM: Add disassociation timeout processing for ESS_DISASSOC
The hostapd_cli ess_disassoc command now takes three arguments (STA MAC
address, timeout in ms, URL) and the STA is disconnected after the
specified timeout.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-05-20 11:13:40 +03:00
Jouni Malinen
47bfe49c31 Add wpa_msg_global() for global events
This function can be used instead of wpa_msg() and wpa_msg_ctrl() to
indicate that an event is not specific to a network interface.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-05-18 14:19:24 +03:00
Jouni Malinen
b83b1b2da8 Android: Clarify keystore include directories
This updates hostapd to build using the new keystore header file
location and adds a note that the old frameworks/base/cmds/keystore can
be removed at some point in the future when old Android releases do not
need to be supported.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-05-18 12:03:35 +03:00
Simon Wunderlich
732118eca3 Rename hostapd_parse_rates() to a more generic int list parser
This can be used with other integer lists than just rates.

Signed-hostap: Simon Wunderlich <siwu@hrz.tu-chemnitz.de>
2013-05-09 20:27:47 +03:00
Simon Wunderlich
b113a171ac DFS: Add ieee80211h hostapd configuration parameter
This patch is based on the original work by Boris Presman and
Victor Goldenshtein. Channel Switch Announcement support has been
removed and event handling as well as channel set handling was
changed, among various other changes.

Cc: Boris Presman <boris.presman@ti.com>
Cc: Victor Goldenshtein <victorg@ti.com>
Signed-hostap: Simon Wunderlich <siwu@hrz.tu-chemnitz.de>
2013-05-09 20:14:53 +03:00
Johannes Berg
7af092a015 hostapd: Add Key MIC in group EAPOL-Key frames corruption test option
For some testing it can be useful to force the Key MIC in group
EAPOL-Key frames to be corrupt. Add an option to allow setting a
probability for corrupting the Key MIC and use it in the WPA code,
increasing the first byte of the MIC by one to corrupt it if desired.

Signed-hostap: Johannes Berg <johannes.berg@intel.com>
2013-05-04 11:45:03 +03:00
Jouni Malinen
ee28f088a5 hostapd: Add more messages for error paths
Make hostapd more verbose if something goes wrong in interface
initialization.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-04-29 13:52:34 +03:00
Jouni Malinen
61d2ce21af hostapd: Reject configuration file without interface parameter
Previously, this was initialized partially, but the interface was
not really started. That could result in eloop_run() returning
immediately and hostapd process getting stopped without any clear
indication of a failure. [Bug 479]

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-04-29 13:51:42 +03:00
Jouni Malinen
8b44ad7e16 Use os_zalloc() instead of os_malloc() + os_memset()
Signed-hostap: Jouni Malinen <j@w1.fi>
2013-04-27 23:05:52 +03:00
Michael Braun
7ca902b53e Make vlan_file optional if dynamic_vlan is used
My APs generate their configuration on their own using a different
number of (vlan-enabled) bss. Currently, all my vlan_file files consist
of a single line: the wildcard line. Configuration file generation would
be easier, if the hostapd configuration file would not depend on those
simple vlan_file files.

This patch removes the need for those one-line files by using the
<device>.<vlan> naming scheme if no vlan_file is given (or that file is
empty). This should not break any existing setup, as using dynamic_vlan
with no vlan configured does not make sense anyway.

Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
2013-04-27 22:53:34 +03:00
Johannes Berg
c2aff6b1d1 hostapd: Add some testing options
In order to test clients in scenarios where APs may (randomly)
drop certain management frames, introduce some testing options
into the hostapd configuration that can make it ignore certain
frames. For now, these are probe requests, authentication and
(re)association frames.

Signed-hostap: Johannes Berg <johannes.berg@intel.com>
2013-04-23 17:51:28 +03:00
Jouni Malinen
cd61936a4a hostapd: Show more helpful message for -g and -G errors
Signed-hostap: Jouni Malinen <j@w1.fi>
2013-04-01 18:17:24 +03:00
Johannes Berg
8cd6b7bce8 hostapd/wpa_s: Use driver's extended capabilities
Some extended capabilities (I'm currently interested in "Operating Mode
Notification" for VHT) are implemented by the kernel driver and exported
in nl80211. Use these in hostapd/wpa_supplicant.

Signed-hostap: Johannes Berg <johannes.berg@intel.com>
2013-03-31 21:51:44 +03:00
Jouni Malinen
a679c0f284 WPS: Allow hostapd process to control independent WPS interfaces
The new wps_independent=1 configuration parameter can be used to remove
interfaces from the shared hostapd process WPS control (i.e., to apply
WPS operations only to a subset of interfaces instead of all).

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-03-31 12:34:35 +03:00
Jouni Malinen
187f87f04c hostapd: Allow ctrl_iface group to be specified on command line
The new -G<group> command line argument can now be used to set the group
for the control interfaces to enable cases where hostapd is used without
a configuration file and the controlling program is not running with
root user privileges.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-03-29 17:09:31 +02:00
Jouni Malinen
ce9283a401 Android: Use CONFIG_WNM mode consistently
Replace CONFIG_IEEE80211V with CONFIG_WNM to get more consistent build
options for WNM-Sleep Mode operations. This is similar to the Makefile
change in commit ad3872a372.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-03-17 20:13:46 +02:00
Jouni Malinen
3b335329b9 Android: Update Android.mk based on Makefile changes
This brings the Android makefiles a bit closer to the Makefile changes
that had been missed in the past.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-03-17 20:08:23 +02:00
Jouni Malinen
c3aa4da94d Convert WPS NFC python scripts from using wpactrl to wpaspy
Signed-hostap: Jouni Malinen <j@w1.fi>
2013-03-16 21:47:10 +02:00
Jouni Malinen
03cd173bd8 WPS: Clear sent_carrier to avoid errors in python script
This is needed to avoid errors when reporting the result of an NFC
connection handover that failed.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-02-24 13:12:32 +02:00
Jouni Malinen
7bfe27778b WPS: Update NFC connection handover documentation
The last couple of changes to the control interface commands for NFC
connection handover had not yet been documented.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-02-15 11:51:28 +02:00
Jouni Malinen
042ec551d4 WPS: Use pre-configured NFC password token instead of overriding it
"WPS_NFC_TOKEN <WPS/NDEF>" used to generate a new NFC password token
regardless of whether there was a pre-configured token in the
configuration. Change this to use the pre-configured value, if
available, instead. This allows the same command to be used to write the
password token to an NFC tag more conveniently.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-02-15 11:24:29 +02:00
Jouni Malinen
e47588279a WPS: Report NFC connection handover completion differently
Instead of reporting only one connection handover message, report
completion of NFC connection handover with carrier record from both the
request and select messages.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-02-11 18:43:46 +02:00
Jouni Malinen
bd692a8b0e WPS: Change listen time to match nfcpy default (250 ms)
Signed-hostap: Jouni Malinen <j@w1.fi>
2013-02-10 18:49:20 +02:00
Jouni Malinen
51e985dd84 WPS: Update nfcpy script to support AP mode NFC connection handover
Initialize NFC connection handover as the server and reply with WPS
carrier record in connection select.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-02-10 17:24:43 +02:00
Jouni Malinen
6772a90ad0 WPS: Add command for fetching carrier record for NFC handover
Control interface command "NFC_GET_HANDOVER_SEL NDEF WPS-CR" can now be
used to fetch WPS carrier record from hostapd.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-02-10 17:12:55 +02:00
Jouni Malinen
8414860422 WPS: Remove 0.5 sec extra wait from NFC handover with nfcpy
Signed-hostap: Jouni Malinen <j@w1.fi>
2013-02-10 16:27:14 +02:00
Jouni Malinen
dc6bda1123 WPS: Use alternating poll/listen for NFC peer discovery with nfcpy
This is needed to find the NFC peer to avoid cases where both devices
could be using the same operation.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-02-10 16:25:20 +02:00
Jouni Malinen
8140ae969b WPS: Configure logging to show nfcpy log message
Signed-hostap: Jouni Malinen <j@w1.fi>
2013-02-10 16:20:25 +02:00
Jouni Malinen
68f51f9af8 WPS: Add an example python script for NFC operations with hostapd
wps-ap-nfc.py uses nfcpy and python-wpactrl to support NFC operations
with hostapd for WPS operations.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-02-09 20:44:15 +02:00